[Community-sigs] new sig Win.Downloader.Dalexis
Shaun Hurley
shahurle at sourcefire.com
Wed Jan 28 16:07:21 EST 2015
Andrei,
Sig: Win.Downloader.Dalexis has been published.
Thank you for your submission,
Shaun Hurley
On Tue, Jan 27, 2015 at 10:32 AM, <andreisaygo at live.ie> wrote:
> Sig:
>
> Win.Downloader.Dalexis;Target:1;(0|1|2)>2,2;FF15????400083F8000F85????0000823D????4000010F82????000090909090;89E68B????2040005?68????4000FF2690909090;6C6F6B697461722E706462
>
> Hashes:
> MD5: 37a30abf6c798807ab896e7771ae130f
> SHA1: 5b25135c60c03be5449b3c7b1c8bfc6bcd74756e
> SHA256: f6c16ac3e0c062c3520f35016d4ece7db80ff724291f49a9b16cec3feb0e7c89
>
> Sig0:
> .text:00401198 FF 15 ?? ?? 40 00 call ds:lstrcmpiA
> .text:0040119E 83 F8 00 cmp eax, 0
> .text:004011A1 0F 85 ?? ?? 00 00 jnz loc_4012F0
> .text:004011A7 82 3D ?? ?? 40 00 01 cmp byte ptr dword_403215, 1
> .text:004011AE 0F 82 ?? ?? 00 00 jb loc_401E9D
> .text:004011B4 90 nop
> .text:004011B5 90 nop
> .text:004011B6 90 nop
> .text:004011B7 90 nop
>
> Sig1:
> .text:004017F8 89 E6 mov esi, esp
> .text:004017FA 8B ?? ?? 20 40 00 mov edx, ds:GetModuleHandleA
> .text:00401800 5? push edx
> .text:00401801 68 ?? ?? 40 00 push offset loc_401773
> .text:00401806 FF 26 jmp dword ptr [esi]
> .text:00401808 90 90 90 90
>
> Sig2:
> lokitar.pdb
>
> Regards,
> Andrei Saygo
>
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>
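As an added example (not part of the post and not ClamAV's own code), a small Python matcher that parses the submitted logical signature, expands the `??` and `5?` wildcards into byte regexes, and applies the `(0|1|2)>2,2` expression to constructed sample buffers; the count/uniqueness reading of the expression and the sample bytes are assumptions.

```python
import re

# Logical signature exactly as submitted above; the sample bytes below are constructed.
SIG = ("Win.Downloader.Dalexis;Target:1;(0|1|2)>2,2;"
       "FF15????400083F8000F85????0000823D????4000010F82????000090909090;"
       "89E68B????2040005?68????4000FF2690909090;"
       "6C6F6B697461722E706462")

def hexsig_to_regex(pattern):
    """Translate a ClamAV hex sub-signature into a bytes regex.
    '??' matches any byte; a lone '?' wildcards one nibble, so the '5?' in Sig1
    matches any of 0x50-0x5F (the single-byte PUSH reg opcodes)."""
    parts = []
    for i in range(0, len(pattern), 2):
        hi, lo = pattern[i], pattern[i + 1]
        if hi == "?" and lo == "?":
            parts.append(b".")
        elif lo == "?":                       # high nibble fixed, low nibble free
            base = int(hi, 16) << 4
            parts.append(b"[" + re.escape(bytes([base])) + b"-"
                         + re.escape(bytes([base | 0xF])) + b"]")
        elif hi == "?":                       # low nibble fixed, high nibble free
            lo_n = int(lo, 16)
            parts.append(b"[" + b"".join(re.escape(bytes([(h << 4) | lo_n]))
                                         for h in range(16)) + b"]")
        else:
            parts.append(re.escape(bytes([int(hi + lo, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def evaluate(expr, counts):
    """Evaluate '(a|b|c)OPn,m' (assumed reading): the summed match count of the
    listed sub-sigs is compared with n, and at least m distinct ones must hit."""
    m = re.fullmatch(r"\(([\d|]+)\)([<>=])(\d+)(?:,(\d+))?", expr)
    ids = [int(x) for x in m.group(1).split("|")]
    op, n, uniq = m.group(2), int(m.group(3)), int(m.group(4) or 0)
    total = sum(counts[i] for i in ids)
    distinct = sum(1 for i in ids if counts[i])
    return {">": total > n, "<": total < n, "=": total == n}[op] and distinct >= uniq

def scan(data, sig=SIG):
    """Return the signature name if the buffer satisfies its logical expression."""
    name, _target, expr, *subsigs = sig.split(";")
    counts = [len(hexsig_to_regex(s).findall(data)) for s in subsigs]
    return name if evaluate(expr, counts) else None

# Constructed bytes (not the real sample) that satisfy Sig0, Sig1 and Sig2.
SIG0 = bytes.fromhex("FF1500104000 83F800 0F854A010000 823D1532400001 0F82F10C0000 90909090")
SIG1 = bytes.fromhex("89E6 8B1508204000 52 6873174000 FF26 90909090")
SIG2 = b"lokitar.pdb"
```

With all three sub-signatures present the name is returned; with only Sig0 and Sig2 the total of 2 fails `>2`, and three copies of the PDB string alone fail the `,2` distinct-sub-sig clause.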